diff --git a/pp-keycloak.nix b/pp-keycloak.nix
index 7ed9ffd..fe6a18e 100644
--- a/pp-keycloak.nix
+++ b/pp-keycloak.nix
@@ -36,6 +36,14 @@ in
 };
 initialAdminPassword = cfg.initialAdminPassword;
 database.passwordFile = cfg.dbPasswordFile;
+ # Set the permittions for the db file
+ system.activationScripts = {
+ keycloakDbFilePermission.text =
+ ''
+ chmod 400 ${cfg.dbPasswordFile}
+ chown keycloak ${cfg.dbPasswordFile}
+ '';
+ };
 database.createLocally = true;
 # TODO: enable client cert lookup: https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
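Review bot: The added `system.activationScripts` block sits between `database.passwordFile` and `database.createLocally`, which look like `services.keycloak` options, so it would probably be evaluated as `services.keycloak.system.activationScripts` rather than the top-level NixOS option; the enclosing attribute set opens outside the hunk, so confirm this and move the definition to the module's top-level `config` if so. Inside the script, `${cfg.dbPasswordFile}` is interpolated unquoted, and if the option is ever given a Nix path literal instead of a string, the secret is copied into the world-readable store and `chmod`/`chown` would target that copy; quote it, e.g. `chmod 400 ${lib.escapeShellArg cfg.dbPasswordFile}` (assuming `lib` is in scope), and declare the option as a string path. The script declares no dependency on user creation, so `chown keycloak` can fail if no `keycloak` account exists at activation time; the upstream module appears to run the service under a dynamic user and pass the password file as a systemd credential, in which case root ownership with mode 400 would be enough. The comment has a typo: `permittions` should be `permissions`.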